Installation

This page documents the installation of the AIStor Key Encryption Service. You may require root or sudo permissions to perform some of the steps.

  1. Install the AIStor KES binary on each node in your KES cluster.

  2. Start the KES server

    The following command starts a single-node KES server with a data directory of /etc/kes/data and listens on port 7373:

    kes server --address :7373 --data /etc/kes/data --license SUBNET-LICENSE

    See the KES documentation for additional configuration options.

    For long-term production deployments, you can run KES as a systemd service. Modify the service file to include the --license SUBNET-LICENSE parameter in the ExecStart line.

  3. Connect to the KES server

    Once installed, set the following environment variables to allow the kes process to communicate with the remote KES server:

    export KES_SERVER=https://kes-1.example.net:7373
export KES_API_KEY=IDENTITY

    The IDENTITY corresponds to a configured identity with access to the KES server and API operations. You can retrieve the root identity by viewing the KES server startup logs. If you configured additional identities as part of the KES configuration you can specify those values instead.

    See the KES documentation on policies and identities for more information on identity and access management.

    The kes client by default must validate the remote KES server certificate as part of establishing a connection. The client uses both the system trust store of Certificate Authorities and the content of the $HOME/.kes/certs/CAs directory during validation. Ensure either the trust store or the CAs directory contain the necessary root and intermediate certificates for validating the remote KES server.